saml2: only allow local URLs as redirections (#43279)
This commit is contained in:
parent
66de9cdd5c
commit
05c1573e38
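--- a/TESTS-FILE-PATH-NOT-ON-PAGE
+++ b/TESTS-FILE-PATH-NOT-ON-PAGE
@@ -18,6 +18,7 @@ from wcs.qommon.misc import get_lasso_server
 from wcs.qommon.saml2 import Saml2Directory
 from wcs.qommon.ident.idp import MethodAdminDirectory, AdminIDPDir
 from wcs.qommon import sessions, x509utils
+from wcs.qommon.errors import RequestError
 from wcs.roles import Role
 
 from utilities import get_app, create_temporary_pub, clean_temporary_pub
@@ -303,12 +304,21 @@ def test_assertion_consumer_redirect_after_url(pub):
 
 def test_assertion_consumer_full_url_redirect_after_url(pub):
     req = get_assertion_consumer_request(pub)
-    req.form['RelayState'] = 'http://example.org/foobar/?test=ok'
+    req.form['RelayState'] = 'http://example.net/foobar/?test=ok'
     saml2 = Saml2Directory()
     saml_response_body = req.form['SAMLResponse']
     body = saml2.assertionConsumerPost()
     assert req.response.status_code == 303
-    assert req.response.headers['location'] == 'http://example.org/foobar/?test=ok'
+    assert req.response.headers['location'] == 'http://example.net/foobar/?test=ok'
 
 
+def test_assertion_consumer_external_url_redirect_after_url(pub):
+    req = get_assertion_consumer_request(pub)
+    req.form['RelayState'] = 'http://example.org/foobar/?test=ok'
+    saml2 = Saml2Directory()
+    saml_response_body = req.form['SAMLResponse']
+    with pytest.raises(RequestError):
+        body = saml2.assertionConsumerPost()
+
+
 def test_saml_login_page(pub):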
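Review bot: In the new test_assertion_consumer_external_url_redirect_after_url, `saml_response_body` and `body` are assigned but never read (the first looks copied from the test above it), and a linter will flag both; the call can simply be `saml2.assertionConsumerPost()` on its own line inside the `with pytest.raises(RequestError):` block. The negative case also only covers a host that shares nothing with the configured frontoffice/backoffice URLs, so it does not pin the boundary the guard actually relies on; a second RelayState whose host merely extends the allowed host (for example a constructed `'http://example.net.example.org/'`, assuming example.net is the configured host as the first test suggests) would make the regression test meaningfully stronger. The unused `saml_response_body` in the existing test above is pre-existing and not introduced by this commit.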
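--- a/PATH-NOT-ON-PAGE (module wcs.qommon.saml2)
+++ b/PATH-NOT-ON-PAGE (module wcs.qommon.saml2)
@@ -355,6 +355,9 @@ class Saml2Directory(Directory):
             netloc = parsed_url.netloc or request.get_server()
             after_url = urlparse.urlunsplit((scheme, netloc, parsed_url.path, parsed_url.query,
                 parsed_url.fragment))
+            if not (after_url.startswith(get_publisher().get_backoffice_url()) or
+                    after_url.startswith(get_publisher().get_frontoffice_url())):
+                raise errors.RequestError()
         else:
             after_url = get_publisher().get_frontoffice_url()
         response.set_status(303)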
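Review bot: The added guard is a plain string-prefix test on `after_url`, so it is only as strict as the two publisher URLs it compares against: unless `get_backoffice_url()` and `get_frontoffice_url()` are guaranteed to end with a `/` (not visible in this hunk), a RelayState whose host merely extends the configured host would satisfy `startswith` and still be redirected to. Comparing the parsed origin instead would make the check independent of that convention, e.g. `allowed = {urlparse.urlsplit(u)[:2] for u in (get_publisher().get_backoffice_url(), get_publisher().get_frontoffice_url())}` followed by `if (scheme, netloc) not in allowed: raise errors.RequestError()`, bearing in mind that `netloc` may come from `request.get_server()` on the line above and so must be normalised the same way (port included) as the configured URLs. Calling `get_publisher()` twice in the condition is also worth collapsing into one local. The enclosing method starts and ends outside the hunk.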